5 Replies Latest reply on Aug 25, 2016 7:47 AM by cdobol

    ENS 10.1 FW - LAG Groups Using Connection-specific DNS Suffix

    cdobol

      I have noticed that LAG rules using connection-specific DNS Suffix are still being applied even though the active network adapter does not have the suffix I have specified. It appears if there is any reference to a DNS suffix in enabled/disabled/inactive adapters and you have a LAG rule for that suffix, it will apply those rules. Obviously this is a fairly big issue. I am using the 10.1.1.1200 version of ENS FW.


      Has anyone else noticed this, or is there something I am missing?

        • 1. Re: ENS 10.1 FW - LAG Groups Using Connection-specific DNS Suffix
          cdobol

          Hello wouterr. Not sure where your post went...


          But thank you for your reply. I currently have an SR open for this. What I am seeing is our internal FW rules (by DNS suffix) are still being used with my home connection. For example, internally we allow incoming pings, outside we do not. Outside vs. inside is determined via DNS suffix. When I take my machine home, I am still able to ping the machine even though the DNS Suffix of the active adapter is not the internal one. I checked the FW logs, and it does look like the internal DNS Suffix rules are being applied even though the active adapter I was using had a different DNS Suffix. I'll post any findings here, as this potential issue will delay our ENS FW rollout.
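The condition described in the opening post and in reply 1 (the internal suffix present on a disconnected or disabled adapter while the active adapter carries a different suffix) can be checked from the endpoint itself. The script below is an added example, not code from the thread or from McAfee; it uses the standard `Get-NetAdapter` and `Get-DnsClient` cmdlets, and the suffix value `corp.example.internal` is a constructed placeholder to replace with your own internal suffix.

```powershell
# Added example (not from the thread): list every adapter with its state and
# connection-specific DNS suffix, then flag the case where the internal suffix
# is present only on adapters that are not Up. That is the situation in which
# a LAG keyed on the suffix was reported to match when it should not.
param(
    # Placeholder value: substitute the connection-specific suffix your LAG rule uses
    [string]$InternalSuffix = 'corp.example.internal'
)

# Adapter state (Up / Disconnected / Disabled), including hidden adapters
$adapters = Get-NetAdapter -IncludeHidden | Select-Object Name, ifIndex, Status
# Connection-specific suffix per interface, joined on the interface index
$dns      = Get-DnsClient | Select-Object InterfaceIndex, ConnectionSpecificSuffix

$report = foreach ($a in $adapters) {
    $d = $dns | Where-Object { $_.InterfaceIndex -eq $a.ifIndex }
    [pscustomobject]@{
        Adapter         = $a.Name
        Status          = $a.Status
        Suffix          = $d.ConnectionSpecificSuffix
        MatchesInternal = ($d.ConnectionSpecificSuffix -eq $InternalSuffix)
    }
}

$report | Format-Table -AutoSize

$activeMatch   = $report | Where-Object { $_.Status -eq 'Up' -and $_.MatchesInternal }
$inactiveMatch = $report | Where-Object { $_.Status -ne 'Up' -and $_.MatchesInternal }

if (-not $activeMatch -and $inactiveMatch) {
    Write-Warning ("No active adapter carries '$InternalSuffix', but these inactive adapters do: " +
        ($inactiveMatch.Adapter -join ', ') +
        ". A LAG keyed on this suffix should NOT be active now; compare against the firewall debug log.")
}
elseif ($activeMatch) {
    Write-Output "Active adapter(s) with the internal suffix: $($activeMatch.Adapter -join ', ')"
}
else {
    Write-Output "No adapter carries '$InternalSuffix'."
}
```

Run it from the off-network location (for example the home connection in reply 1) and compare its output with the LAG status in the firewall debug log; if the warning fires while the internal rule group shows as active, you have reproduced the behaviour described here without needing an external host to ping the machine.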

          • 2. Re: ENS 10.1 FW - LAG Groups Using Connection-specific DNS Suffix
            cdobol

            SR is still open for this as they have been reviewing the logs for a week+ now. I assume it's a bug considering they haven't asked me for further information; it's been a little frustrating dealing with McAfee's very slow response to this issue.

            • 3. Re: ENS 10.1 FW - LAG Groups Using Connection-specific DNS Suffix
              wouterr

              Hey Cdobol,


              As we are running a mixed VSE/ENS environment and have to manage firewalls on both types of clients we are using the HIPS firewall together with ENS TP.

              Also we have noticed our ENS firewall policies get corrupted if we try to modify a HIPS firewall rule in the catalog. So in short we are using the HIPS FW on all our systems. My previous post was based on this setup (so related to the HIPS FW instead of ENS FW), that's why I deleted it.


              Now in short I also did a little test with the ENS10 FW. I linked a policy with a rule group which is enabled/disabled based on a LAG which checks a specific registry value. I did also notice some inconsistent behaviour, as the rule group did not seem to get activated.


              Note: in ENS10 you can check the status of the LAGs by enabling the firewall debug logging in the Endpoint Security Common > Options policy.

              • 4. Re: ENS 10.1 FW - LAG Groups Using Connection-specific DNS Suffix
                cdobol

                A LAG group I have is definitely being applied when it should not be. Engineering has been looking at it for the past week. I'm expecting them to tell me it's a bug at some point. I'll post here when I finally get clarification on what the root issue is.

                • 5. Re: ENS 10.1 FW - LAG Groups Using Connection-specific DNS Suffix
                  cdobol

                  Not sure if anyone else is using LAG rules with DNS connection suffix, but there is/has been a bug that is still there in 10.2. Been trying to get them to fix this since June. It's a pretty major bug depending how you are using your LAG rules. Pretty much provides no protection to the endpoint if you are using LAG DNS Suffix rules for internal/external criteria.